More than 600 million users of the popular UC Browser and UC
The UC Browser is developed by UCWeb, a company owned by the Alibaba Group since 2014, and is the world’s fourth most popular mobile browser according to StatCounter.
Researchers at Zscaler were investigating an unusual activity when discovered some questionable connections to a specific domain, 9appsdownloading.. The requests were being made by the
Further investigation allowed the researchers to determine that the UC Browser app was attempting to download an additional Android Package Kit (APK) over an unsecured channel (HTTP over HTTPS). This practice violates the Google Play policy, and the use of an unsecured channel exposes the users to man-in-the-middle attacks. The use of unsecured channels could allow attackers to deliver and install an arbitrary payload on a target device to perform a broad range of malicious activities.
The analysis of the APK revealed that it was available on a
Once installed on a device, the 9Apps app started scanning for
Researchers also pointed out that dropping an APK on external storage (/storage/emulated/0) could allow other apps, with appropriate permissions, to tamper with the APK.
Zscaler shared its findings to Google on August 13 and the discussion on the potential violation lasted until September 25.
On September 27 Google acknowledged the problems and reported them to UCWeb asking the development team to “update the apps and
“It is too early to determine exactly what the Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat.” concludes the analysis published by ZScaler.
“Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can become victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications,”
In May, security researcher Arif Khan discovered a browser address bar spoofing flaw in the popular browser apps for Android.
| [adrotate banner=”9″] ||[adrotate banner=”12″]|
(SecurityAffairs – Android, hacking)